A petite library of essential encryption functions for PHP 7.1+. For legacy PHP version support, look here.
Add dcrypt to your composer.json file requirements. Don't worry, dcrypt does not have any dependencies of its own.
composer require "mmeyer2k/dcrypt:^13.2"
The dcrypt library helps application developers avoid common mistakes in crypto implementations that leave data at risk.
Safe usage of dcrypt's block cipher functions requires the use of a high entropy 256 bit (minimum) key. Keys should be passed into dcrypt in base64 encoded format. You are responsible for the randomness of your key!
Generate a new key on the linux CLI:
head -c 32 /dev/urandom | base64 -w 0 | xargs echo
Or with PHP...
<?php
$key = \Dcrypt\OpensslKey::create(32);
Since PHP 7.1 supports native AEAD encryption modes, using GCM would be safest option for most applications. Dcrypt will handle the AEAD authentication tag, SHA3-256 HMAC, initialization vector and encrypted message as a single unencoded string.
<?php
$key = '[...BASE64 KEY...]';
$encrypted = \Dcrypt\Aes::encrypt('a secret', $key);
$plaintext = \Dcrypt\Aes::decrypt($encrypted, $key);
If in doubt, use this example and don't read any further!
If you read to this point then you are an experienced cryptonaut, congrats! 👌 🤘
Several AES-256 encryption modes are supported out of the box via hardcoded classes.
Class Name | OpenSSL Cipher | Security Rating | Further Reading |
---|---|---|---|
Aes256Gcm or Aes |
aes-256-gcm |
😃 | wiki |
Aes256Ctr |
aes-256-ctr |
wiki | |
Aes256Cbc |
aes-256-cbc |
😑 | wiki |
Aes256Ofb |
aes-256-ofb |
😬 | wiki |
Aes256Cfb |
aes-256-cfb |
😯 | wiki |
Aes256Ccm |
aes-256-ccm |
😲 | wiki |
Aes256Ecb |
aes-256-ecb |
😡 | wiki |
Dcrypt is compatible with most OpenSSL ciphers and hashing algorithms supported by PHP.
Run openssl_get_cipher_methods()
and hash_algos()
to view supported options on your platform.
Use any cipher/algo combination by calling the OpensslStatic
class.
<?php
$encrypted = \Dcrypt\OpensslStatic::encrypt('a secret', $key, 'bf-ofb', 'crc32');
$plaintext = \Dcrypt\OpensslStatic::decrypt($encrypted, $key, 'bf-ofb', 'crc32');
Dcrypt's internal functions are easily extendable by overloading the OpensslBridge
class.
<?php
class BlowfishCrc32 extends \Dcrypt\OpensslBridge
{
const CIPHER = 'bf-ofb';
const ALGO = 'crc32';
}
$encrypted = BlowfishCrc32::encrypt('a secret', $key);
$plaintext = BlowfishCrc32::decrypt($encrypted, $key);
Feeling especially paranoid? Not sure which cipher methods and algos can be trusted? Why not try all of them.
<?php
$stack = (new \Dcrypt\OpensslStack($key))
->add('aes-256-ecb', 'snefru')
->add('aes-256-ofb', 'sha224')
->add('aes-256-cbc', 'sha256')
->add('aes-256-ctr', 'sha384')
->add('aes-256-gcm', 'sha512');
$encrypted = $stack->encrypt('a secret');
$plaintext = $stack->decrypt($encrypted);
By default, \Dcrypt\Exceptions\InvalidChecksumException
exception will be raised before decryption is allowed to proceed when the supplied checksum is not valid.
<?php
try {
$decrypted = \Dcrypt\Aes::decrypt('malformed cyphertext', $key);
} catch (\Dcrypt\Exceptions\InvalidChecksumException $ex) {
// ...
}
Be sure you understand the risks and inherent issues of using a stream cipher before proceeding.
- Each key should only be used once
- Data integrity can not be guaranteed
- https://en.wikipedia.org/wiki/Stream_cipher_attacks
- https://jameshfisher.com/2018/01/01/making-a-stream-cipher/
A novel counter-based stream cipher.
OneTimePad
uses SHA3-512 to output a keystream that is ⊕'d with the input in 512 bit chunks.
<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key);
$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key);
OneTimePad
can use any hashing algorithm to generate the pseudorandom keystream.
<?php
$encrypted = \Dcrypt\OneTimePad::crypt('a secret', $key, 'whirlpool');
$plaintext = \Dcrypt\OneTimePad::crypt($encrypted, $key, 'whirlpool');
Generate random base62 string tokens with specified number of characters.
$token = \Dcrypt\Str::token(10);
Compare 2 strings in a time-safe manner.
$equal = \Dcrypt\Str::equal($known, $given);
Developing dcrypt has been a great journey for many years. If you find dcrypt useful, please consider donating.
LTC |
LN97LrLCNiv14V6fntp247H2pj9UiFzUQZ |
BTC |
3N7vhA6ghWb1VrP4nGA6m6mzA9T2ASCVEj |
ETH |
0xe14a56046f28fCEF56A0EA4a84973bDdFF546923 |
Or please consider checking out my dcrypt inspired encryption library for .NET, check out harpocrates.